ICO resumes investigation into real time bidding (RTB) and AdTech
What will be the ultimate impact of the ICO’s continuing investigations into RTB and AdTech?
The key takeaway
In May 2020 the ICO paused its investigation into RTB and the AdTech industry, since they prioritised activities responding to the COVID-19 pandemic. The ICO has now resumed the investigation into RTB and data processing. The ICO has said that the complex system of RTB uses people’s sensitive personal data to serve ads requires explicit consent, which is currently not happening.
Having started its review into RTB in February 2019, the ICO paused its investigation into the matter following the start of the pandemic. With things beginning to settle down, the ICO has now been able to resume its investigation.
In a statement in early 2020, the ICO highlighted a lack of transparency due to the nature of the supply chain and the role different actors play in RTB. Six months were given to the RTB industry to work on the points raised by the ICO, which ended in May 2020, when they paused the investigation. The key concerns at the time were, among others:
- the use of “legitimate interests” as the lawful basis for the processing of personal data in RTB being insufficient
- the lawfulness of processing of special category data and the processing of non-special category data without consent
- the reliance on contracts for data sharing across the supply chain
- the lack of transparency on what happens with users’ data wider security and data sharing issues caused by this data supply chain.
The ICO has announced that its investigation will continue with a series of audits focusing on data management platforms. They will also be issuing assessment notices to specific companies in the coming months where necessary.
Naturally, the ICO will be publishing their final findings at the conclusion of the investigation.
Why is this important?
The sharing of data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, raises huge questions from a data compliance perspective, including around the security and retention of this data.
Since the ICO is committed to undertaking further investigations and assessments as to the processing of data for RTB, organisations should be reviewing their practices urgently with a view to avoiding any possible action by the ICO.
Any practical tips?
All organisations operating in the RTB space should assess how they use personal data as a matter of urgency. It’s no easy task, but any review should focus on users’ consent, legitimate interests, data protection by design and any data protection impact assessments, including through their supply chain. The ICO’s guidance should be kept front of mind. Data compliance and RTB is an issue that is not going away.